[RndTbl] CVE-2023-41064

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Thu Oct 5 11:16:41 CDT 2023

More background info...


I didn't realize WebP had been around since 2010.  Yikes, that's a long 
time for a vulnerability to be hanging around, patiently waiting to be 
adopted by us trusting souls!

And, coincidentally...


... the company behind Pegasus has also been around since 2010.  Not 
going into conspiracy theory, but it does mean there has been a long 
window of vulnerability to be potentially exploited here, by very 
motivated (and well-funded) bad actors.


On 2023-10-05 10:48 a.m., Gilbert Detillieux wrote:
> On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
>> Fun.
>> https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days
>> If you have an Apple device, it must be updated.  If it's no longer
>> supported/updated, throw it away.
> See also...
> https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
> https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zero-day-fix-to-older-iphones/
> ...

Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2
For best CS dept. service, contact <cs-support at lists.umanitoba.ca>.
